EAP-TLS
What is EAP-TLS?
An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC.
EAP-TLS, defined in RFC 5216, is the EAP method used by 802.1X-authenticated networks (enterprise Wi-Fi, wired NAC) to mutually authenticate a supplicant (client) and an authentication server (typically RADIUS) using X.509 certificates. The handshake is essentially a TLS handshake tunnelled inside EAP frames between the supplicant and the RADIUS server (with the access point or switch acting as transparent authenticator), with both parties presenting client and server certificates. Because there is no password to phish, lose, or reuse, EAP-TLS is widely considered the gold standard for enterprise network access — it eliminates entire classes of attacks (Evil Twin / Karma password-stealing rogue APs, MS-CHAP downgrade, RADIUS shared-secret abuse) and provides phishing-resistant authentication at the L2/L3 boundary. Operational cost is higher than EAP-PEAP-MSCHAPv2 because it requires PKI: issuing, distributing, renewing, and revoking client certificates for users and devices, typically via Intune SCEP/NDES, Jamf, AD CS, or a SaaS PKI. EAP-TLS is required by many zero-trust network-access designs and recommended by NCSC, CISA, and SANS for wireless authentication.
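The mutual authentication described above only holds if the supplicant actually validates the server side of the handshake. As an added example (not code from the original page or from any vendor), here is a constructed wpa_supplicant network block for an EAP-TLS connection; the SSID, identity, file paths, RADIUS host name and passphrase are all placeholders. The security-relevant lines are `ca_cert` and `domain_match`: they pin the trust anchor and the expected server name, so the device presents its certificate only to the organisation's own RADIUS server.

```conf
# Constructed wpa_supplicant.conf network block for EAP-TLS (added example).
# Every path, name and secret below is a placeholder; substitute your own PKI artefacts.
ctrl_interface=/run/wpa_supplicant

network={
    ssid="CorpWiFi"                          # placeholder SSID
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS

    identity="device-0001@example.com"       # outer EAP identity; not a secret

    # Client half of the mutual authentication: the device certificate and key
    # issued by the enterprise PKI (e.g. via SCEP/NDES or AD CS).
    client_cert="/etc/wpa_supplicant/certs/device.pem"
    private_key="/etc/wpa_supplicant/certs/device.key"
    private_key_passwd="placeholder-passphrase"

    # Server half: trust ONLY the CA that issues the RADIUS server certificate...
    ca_cert="/etc/wpa_supplicant/certs/corp-ca.pem"
    # ...and require the server certificate's name to match the RADIUS host.
    # Omitting ca_cert/domain_match makes the supplicant accept any server certificate,
    # which silently removes the server-authentication half of EAP-TLS.
    domain_match="radius.example.com"

    # Refuse legacy TLS versions inside the EAP tunnel.
    phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
}
```

Managed platforms (Intune, Jamf, Group Policy) express the same controls as "trusted root CA" and "server name" fields in the Wi-Fi profile; the check when auditing a deployment is that both are populated and that end users cannot override them.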
● Examples
- 01
An enterprise issues per-device client certificates via Intune SCEP and configures Wi-Fi profiles to authenticate with EAP-TLS to a RADIUS cluster — no passwords leave the device.
- 02
A pen-test of a corporate wireless network finds it uses EAP-TLS only, so the rogue-AP credential-capture phase of the engagement is effectively a no-op.
● FAQ
What is EAP-TLS?
An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC. It falls under the Network Security category.
What other names does EAP-TLS go by?
Common aliases include: RFC 5216, 802.1X EAP-TLS.
● Related terms
- network-security№ 572
IEEE 802.1X
A port-based network access control standard that authenticates a device or user before a wired or wireless port is allowed to pass traffic.
- network-security№ 1000
RADIUS
A widely deployed AAA protocol through which network devices authenticate, authorize, and account for user or device access.
- network-security№ 1279
TLS (Transport Layer Security)
A cryptographic protocol standardized by the IETF that provides confidentiality, integrity, and authentication for communication between two networked applications.
- network-security№ 1280
TLS handshake
The initial exchange when a Transport Layer Security connection is established, used to authenticate the server (and optionally the client) and to derive the symmetric keys that encrypt the rest of the session.
- attacks№ 439
Evil Twin attack
A Wi-Fi attack in which the attacker sets up a fake access point imitating a legitimate SSID so that victims connect to it, exposing their traffic or credentials.
- network-security№ 1380
WPA2
The second generation of Wi-Fi Protected Access, based on AES-CCMP and IEEE 802.11i; the de facto standard for Wi-Fi security since 2004.